Your network contains an Active Directory forest named contoso.com.
Your company works with a partner company that has an Active Directory forest named
fabrikam.com. Both forests contain domain controllers that run only Windows Server 2012 R2.
The certification authority (CA) infrastructure of both companies is configured as shown in the
following table.
You need to recommend a certificate solution that meets the following requirements:
Server authentication certificates issued from fabrikam.com must be trusted automatically by the
computers in contoso.com.
The computers in contoso.com must not trust automatically any other type of certificates issued
from the CA hierarchy in fabrikam.com.
What should you include in the recommendation?
A.
Deploy a Group Policy object (GPO) that defines intermediate CAs. Import a certificate that has an
application policy object identifier (OID) of CA Encryption Certificate.
B.
Deploy a Group Policy object (GPO) that defines an enterprise trust. Import a certificate that has
an application policy object identifier (OID) of Microsoft Trust List Signing.
C.
Deploy a Group Policy object (GPO) that defines an enterprise trust. Import a certificate that has
an application policy object identifier (OID) of CA Encryption Certificate.
D.
Deploy a Group Policy object (GPO) that defines intermediate CAs. Import a certificate that has an
application policy object identifier (OID) of Microsoft Trust List Signing.
Answer B seems correct if I understand these two links properly
http://windowsitpro.com/security/how-do-i-create-certificate-trust-list-domain
https://technet.microsoft.com/en-us/library/cc772491.aspx
This link might help as well
https://technet.microsoft.com/en-gb/library/cc737306(v=ws.10).aspx